DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of Inspector General
Washington, D.C. 20201

OCT 27 2008

TO: Kerry Weems
    Acting Administrator
    Centers for Medicare & Medicaid Services

FROM: Daniel R. Levinson
      Inspector General

SUBJECT: Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-07-05064)

The attached final report provides the results of our review of the Centers for Medicare & Medicaid Services (CMS) oversight and enforcement of covered entities' implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

On August 21, 1996, Congress enacted HIPAA (P.L. No. 104-191). HIPAA established national standards that protect the confidentiality and integrity of electronic protected health information (ePHI) while it is being stored or transmitted between entities. The HIPAA Administrative Simplification was added to the Social Security Act. The HIPAA Security Rule is a component of the HIPAA Administrative Simplification security standards.

On October 7, 2003, the U.S. Department of Health and Human Services delegated to CMS: (1) the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; (2) the authority to conduct compliance reviews and to investigate and resolve complaints of HIPAA Security Rule noncompliance; and (3) the authority to impose civil monetary penalties for a covered entity's failure to comply with the HIPAA Security Rule provisions. The Final Rule for enforcement of this delegation became effective on February 16, 2006.

Our objective was to evaluate the effectiveness of CMS's oversight and enforcement of covered entities' implementation of the HIPAA Security Rule.

CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal regulations as of February 16, 2006, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.

Although reliance on complaints alone was ineffective for identifying noncompliant covered entities, we noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints. CMS has developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with the Office for Civil Rights for complaints with privacy elements, developing corrective action plans, and remediating complaints.

Ongoing Office of Inspector General audits of various hospitals nationwide indicate that CMS needs to become more proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews. Preliminary results of these audits show numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. These vulnerabilities place the confidentiality and integrity of ePHI at high risk.
During our audit, CMS began taking steps to conduct compliance reviews. After we completed our fieldwork but before we issued our report, CMS executed a contract to conduct compliance reviews at covered entities.

We recommend that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities.

CMS did not agree with our findings because it believes that its complaint-driven enforcement process has furthered the goal of voluntary compliance. CMS agreed, however, that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy. CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities but emphasized that compliance reviews are just one of several tools that can be used to promote compliance.

Although CMS's complaint-driven enforcement process has furthered the goal of voluntary compliance, the significant vulnerabilities we identified at hospitals throughout the country would not generally have been identified in HIPAA Security Rule complaints. In fact, CMS has received very few complaints regarding potential HIPAA Security Rule violations. Including compliance reviews of covered entities in its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.

Pursuant to the principles of the Freedom of Information Act, 5 U.S.C. § 552, as amended by P.L. No. 104-231, Office of Inspector General reports generally are made available to the public to the extent the information is not subject to exemptions in the Act (45 CFR part 5). Accordingly, the final report will be posted on the Internet at http://oig.hhs.gov.

If you have any questions or comments about this report, please do not hesitate to call me, or your staff may contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal Activities, and IT Audits, at (202) 619-1175 or through e-mail at Lori.Pilcher@oig.hhs.gov or Peter J. Barbera, Regional Inspector General for Audit Services, Region IV, at (404) 562-7750 or through e-mail at Peter.Barbera@oig.hhs.gov. Please refer to report number A-04-07-05064 in all correspondence.

Attachment

cc:
Wynethea N. Walker
Director, Audit Liaison Staff
Centers for Medicare & Medicaid Services

Anthony Trenkle
Director, Office of E-Health Standards and Services
Centers for Medicare & Medicaid Services

Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

NATIONWIDE REVIEW OF THE CENTERS FOR MEDICARE & MEDICAID SERVICES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 OVERSIGHT

Daniel R. Levinson
Inspector General

October 2008
A-04-07-05064

Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others.
Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Pursuant to the principles of the Freedom of Information Act, 5 U.S.C. § 552, as amended by Public Law 104-231, Office of Inspector General reports generally are made available to the public to the extent the information is not subject to exemptions in the Act (45 CFR part 5).

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

BACKGROUND

On August 21, 1996, Congress enacted P.L. No. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Sections 261 and 262 of HIPAA established national standards that protect the confidentiality and integrity of electronic protected health information (ePHI) while it is being stored or transmitted between entities.

The HIPAA Administrative Simplification was added to the Social Security Act (the Act) in sections 1171 through 1179. The HIPAA Security Rule is a component of the HIPAA Administrative Simplification security standards and is integrated into 45 CFR parts 160, 162, and 164.
Both the Act and the HIPAA Security Rule require a covered entity, such as a health plan or health care provider that transmits any health information in electronic form (45 CFR § 160.103(3)), to (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information (HIPAA, P.L. No. 104-191, § 262, 45 CFR part 164, subpart C).

On October 7, 2003, the Department of Health and Human Services delegated to the Centers for Medicare & Medicaid Services (CMS) (1) the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; (2) the authority to conduct compliance reviews and to investigate and resolve complaints of HIPAA Security Rule noncompliance; and (3) the authority to impose civil monetary penalties for a covered entity's failure to comply with the HIPAA Security Rule provisions. The Final Rule for enforcement of this delegation became effective on February 16, 2006.

The Office of E-Health Standards and Services developed and published HIPAA Security Rule regulations and guidance materials for covered entities. An example is the March 25, 2005, Federal Register notice on how to file a complaint (70 Fed. Reg. 15329). The Office of E-Health Standards and Services also published a series of security papers to give covered entities insight into the HIPAA Security Rule and assistance with implementation of the security standards.

OBJECTIVE

Our objective was to evaluate CMS's oversight and enforcement of covered entities' implementation of the HIPAA Security Rule.

SUMMARY OF FINDINGS

CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal regulations, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.

Although reliance on complaints alone was ineffective for identifying noncompliant covered entities, we noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints. CMS had developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with the Office for Civil Rights for complaints that potentially violate both the HIPAA Security and Privacy Rules, developing corrective action plans, and remediating complaints.

Our ongoing audits of various hospitals nationwide indicate that CMS needs to become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews. Preliminary results of these audits show numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. These vulnerabilities place the confidentiality and integrity of ePHI at high risk. During our audit, CMS began taking steps to conduct compliance reviews. After we completed our fieldwork but before we issued our report, CMS executed a contract to conduct compliance reviews at covered entities.

RECOMMENDATION

We recommend that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

CMS did not agree with our findings because it believes that its complaint-driven enforcement process has furthered the goal of voluntary compliance. CMS agreed, however, that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy that also includes complaint investigation and resolution, outreach, education, and working closely with industry to identify and correct security issues.

CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities but emphasized that compliance reviews are just one of several tools that can be used to promote compliance as part of a comprehensive enforcement strategy. CMS's comments are included in their entirety in the Appendix.

Although CMS's complaint-driven enforcement process has furthered the goal of voluntary compliance, the significant vulnerabilities we identified at hospitals throughout the country would not generally have been identified in HIPAA Security Rule complaints. In fact, CMS has received very few complaints regarding potential HIPAA Security Rule violations.
Including compliance reviews of covered entities in its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.

TABLE OF CONTENTS

INTRODUCTION
    BACKGROUND
        Delegation of Authority To Administer the Health Insurance Portability and Accountability Act of 1996 Security Rule
        Office of E-Health Standards and Services
    OBJECTIVE, SCOPE, AND METHODOLOGY
        Objective
        Scope
        Methodology

FINDINGS AND RECOMMENDATION
    FEDERAL AUTHORITIES RELATING TO ENFORCEMENT OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 SECURITY RULE
    LIMITED ACTION TO ENSURE COMPLIANCE
    COMPLIANCE REVIEW PROCEDURES NOT ESTABLISHED
    ELECTRONIC PROTECTED HEALTH INFORMATION AT RISK
    RECOMMENDATION
    CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS
    OFFICE OF INSPECTOR GENERAL RESPONSE

APPENDIX
    CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

INTRODUCTION

BACKGROUND

On August 21, 1996, Congress enacted P.L. No. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Sections 261 and 262 of HIPAA established national standards that protect the confidentiality and integrity of electronic protected health information (ePHI) while it is being stored or transmitted between entities.

The HIPAA Administrative Simplification was codified in sections 1171 through 1179 of the Social Security Act (the Act). The HIPAA Security Rule is a component of the HIPAA Administrative Simplification security standards and is integrated into 45 CFR parts 160, 162, and 164. Both the Act and the HIPAA Security Rule require a covered entity, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form (45 CFR § 160.103(3)), to (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information (HIPAA, P.L. No. 104-191, § 262, 45 CFR part 164, subpart C).

Delegation of Authority To Administer the Health Insurance Portability and Accountability Act of 1996 Security Rule

On October 7, 2003, the Department of Health and Human Services (HHS) delegated to the Centers for Medicare & Medicaid Services (CMS) (1) the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; (2) the authority to conduct compliance reviews and to investigate and resolve complaints of HIPAA Security Rule noncompliance; and (3) the authority to impose civil monetary penalties for a covered entity's failure to comply with the HIPAA Security Rule provisions. The Final Rule for enforcement of this delegation became effective on February 16, 2006.

Office of E-Health Standards and Services

To bring together its responsibilities under HIPAA, including enforcement, CMS created a new office in 2002 that later became known as the Office of E-Health Standards and Services (OESS). Some of the functions for which CMS created OESS included:

•   developing regulations and guidance materials and providing technical assistance on the HIPAA Administrative Simplification provisions for transactions, code sets, identifiers, and security;

•   developing and implementing the enforcement program for HIPAA Administrative Simplification provisions; and

•   developing and implementing an outreach program for HIPAA Administrative Simplification provisions by formulating and coordinating a public relations campaign, preparing and delivering presentations and speeches, responding to inquiries on HIPAA issues, and maintaining liaison with industry representatives.

OESS developed and published HIPAA Security Rule regulations and guidance materials for covered entities.
An example is the March 25, 2005, Federal Register notice on how to file a complaint (70 Fed. Reg. 15329). OESS also published a series of security papers designed to give covered entities insight into the HIPAA Security Rule and assistance with implementation of the security standards. These publications explained specific requirements, the thought process behind those requirements, and possible ways to address the provisions.

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

Our objective was to evaluate CMS's oversight and enforcement of covered entities' implementation of the HIPAA Security Rule.

Scope

Our audit focused primarily on determining whether CMS effectively:

•   identified and investigated HIPAA Security Rule violations,
•   ensured covered entity compliance with the HIPAA Security Rule, and
•   imposed civil monetary penalties for violations of the HIPAA Security Rule.

We reviewed CMS's oversight and enforcement activities from October 7, 2003, when it received the delegation of authority and responsibility to interpret, implement, and enforce the nonprivacy HIPAA regulations,[1] through August 24, 2007.

We conducted our fieldwork from July 25, 2007, through August 24, 2007, at CMS headquarters in Baltimore, Maryland.

Our review of CMS's internal controls was limited to the controls in place to provide oversight and enforcement of the HIPAA Security Rule.

[1] The authority for administering and enforcing compliance with the HIPAA Privacy Rule has been delegated to the HHS Office of Civil Rights (OCR) (65 Fed. Reg. 82381 (Dec. 28, 2000)). The authority for administering and enforcing compliance with the nonprivacy HIPAA rules has been delegated to CMS (68 Fed. Reg. 60694 (Oct. 23, 2003)).

Methodology

To accomplish our objective, we:

•   reviewed applicable Federal requirements,
•   reviewed CMS's policies and procedures for identifying and investigating alleged HIPAA Security Rule provision violations,
•   reviewed the HIPAA Security Rule guidance CMS made available to covered entities,
•   reviewed OESS's organizational charts,
•   interviewed OESS and OCR officials to determine how complaints with security and privacy elements were coordinated,
•   interviewed CMS Office of the General Counsel officials to determine the CMS process for assessing civil monetary penalties, and
•   tested for completeness OESS's complaint-processing methodology and documentation using selected complaints from OESS's Administrative Simplification Enforcement Tool.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

FINDINGS AND RECOMMENDATION

CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal regulations as of February 16, 2006, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities.
To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.

Although reliance on complaints alone was ineffective for identifying noncompliant covered entities, we noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints. CMS had developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with OCR for complaints about potential violations of both the HIPAA Security and Privacy Rules, developing corrective action plans, and remediating complaints.

Our ongoing audits of various hospitals nationwide indicate that CMS needs to become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews. Preliminary results of these audits show numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. These vulnerabilities place the confidentiality and integrity of ePHI at high risk. During our audit, CMS began taking steps to conduct compliance reviews. After we completed our fieldwork but before we issued our report, CMS executed a contract to conduct compliance reviews at covered entities.

FEDERAL AUTHORITIES RELATING TO ENFORCEMENT OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 SECURITY RULE

Congress enacted sections 261 and 262 of HIPAA to establish national standards for protecting the confidentiality and integrity of ePHI and for addressing all aspects of the security of ePHI while it is being stored or transmitted between entities. The standards were implemented in regulations in 45 CFR, parts 160, 162, and 164. The regulations relating to the general administration (such as compliance reviews and civil money penalties) of the HIPAA Security Rule are found in part 160; the applicable standards and implementation specifications for ePHI are found in subpart C of part 164.

HHS delegated the authority and responsibility to CMS:

•   to interpret, implement, and enforce the nonprivacy HIPAA regulations;
•   to impose civil monetary penalties, including settlements, under section 1176 of the Act for a covered entity's failure to comply with certain requirements and standards;
•   to investigate complaints of noncompliance with the HIPAA Security Rule and to make decisions regarding the interpretation, implementation, and enforcement of it; and
•   to conduct compliance reviews to determine whether covered entities are complying with the applicable administrative simplification provisions (68 Fed. Reg. 60694 (Oct. 23, 2003)).

The Final Rule for the enforcement section of the HIPAA Administrative Simplification amended 45 CFR subtitle A, subchapter C, parts 160 and 164, and was effective as of March 16, 2006. The Final Rule added subpart E to part 160, including section 160.402(a) relating to civil money penalties:

    Subject to § 160.410, the Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision. [See 45 CFR § 402(a). See also 71 Fed. Reg. 8427 (Feb. 16, 2006).]

The final rule also revised section 160.300 by eliminating the words "and the applicable standards, requirements, and implementation specification of subpart E of part 164 [HIPAA Privacy Rule] of this subchapter" and substituted the words "and parts 162 and 164 of this subchapter." This change made subpart C, "Compliance and Investigations," applicable to all the HIPAA implementing rules, including the HIPAA Security Rule. Before this revision, regulations for conducting compliance reviews of the HIPAA Privacy Rule's standards applied only to OCR. As a result of the revision, the same regulations now allow CMS to conduct compliance reviews of the HIPAA Security Rule's standards.

LIMITED ACTION TO ENSURE COMPLIANCE

From 2003 through the time of this audit, CMS had taken limited action to ensure that covered entities complied with the HIPAA Security Rule. For the most part, these actions consisted of following up on complaints it received. As of August 24, 2007, CMS had not conducted any compliance reviews of covered entities to determine whether the HIPAA Security Rule was being properly implemented.

COMPLIANCE REVIEW PROCEDURES NOT ESTABLISHED

CMS has had the authority and responsibility to interpret, implement, and enforce HIPAA regulations since 2003. The February 16, 2006, Federal Register published implementing regulations giving CMS a mechanism to conduct compliance reviews. However, as of August 24, 2007, CMS had not established any policies or procedures for conducting compliance reviews at covered entities. CMS officials explained that they were not conducting HIPAA Security Rule compliance reviews because they relied solely on complaints to promote voluntary compliance.
This approach has met with limited success because CMS has received very few complaints regarding potential HIPAA Security Rule violations.[2]

ELECTRONIC PROTECTED HEALTH INFORMATION AT RISK

As of August 24, 2007, CMS had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions. Nor did CMS know how vulnerable ePHI was to attack by individuals intent on accessing and misusing protected health information.

As part of our audit of CMS, we audited the HIPAA Security Rule implementation at one hospital and found significant vulnerabilities in the hospital's systems and controls intended to protect ePHI. In addition, we began audits at seven other hospitals around the country. The preliminary results have also identified significant vulnerabilities with the hospitals' implementation of the administrative, technical, and physical safeguard provisions of the HIPAA Security Rule. These vulnerabilities place the confidentiality and integrity of ePHI at risk and would not generally be included in complaints.

RECOMMENDATION

We recommend that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities.

[2] "As of October 31, 2005, OCR had received and initiated review of over 16,000 complaints and had closed 68 percent of the complaints; at the same time, CMS had received and initiated review of 413 complaints and closed 67 percent of the complaints" (71 Fed. Reg. 8424 (Feb. 16, 2006)).

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

CMS did not agree with our findings because it believes that its complaint-driven enforcement process has furthered the goal of voluntary compliance. CMS agreed, however, that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy that also includes complaint investigation and resolution, outreach, education, and working closely with industry to identify and correct security issues.

CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities but emphasized that compliance reviews are just one of several tools that can be used to promote compliance as part of a comprehensive enforcement strategy.

CMS's comments are included in their entirety in the Appendix.

OFFICE OF INSPECTOR GENERAL RESPONSE

Although CMS's complaint-driven enforcement process has furthered the goal of voluntary compliance, the significant vulnerabilities we identified at hospitals throughout the country would not generally have been identified in HIPAA Security Rule complaints. In fact, as of October 31, 2005, CMS received only 413 potential Security Rule complaints out of more than 16,000 total HIPAA complaints HHS received. Adding compliance reviews of covered entities to its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.

APPENDIX

DEPARTMENT OF HEALTH & HUMAN SERVICES
Centers for Medicare & Medicaid Services
Page 1 of 3
Office of the Administrator
Washington, DC 20201

DATE: JUN 30 2008

TO: Daniel R. Levinson
Inspector General

FROM: [signature]

SUBJECT: Office of the Inspector General (OIG) Draft Report: "Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight" (A-04-07-05064)

Thank you for the opportunity to review and comment on the above OIG Draft Report. The OIG report is based on an audit conducted in August of 2007 to evaluate the effectiveness of the Centers for Medicare & Medicaid Services' (CMS) oversight and enforcement of covered entities' implementation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The draft report stated that CMS' security enforcement actions have been limited and have not provided effective oversight or encouraged compliance of the Security Rule by covered entities. CMS does not agree with the OIG's finding, as our experience over the past three years illustrates the effectiveness of our enforcement approach. We believe that our complaint-driven enforcement process has furthered the goal of voluntary compliance in accordance with the principles set out in the HIPAA Enforcement Rule at 45 C.F.R. 160.304.

As of April 21, 2005, CMS has received and processed more than 300 security complaints from individuals and organizations across the country. These complaints are widespread and diverse, not only geographically, but also with respect to the type of entity complained against. Complaints have been filed against all sizes and types of covered entities including solo practitioners, hospitals, pharmacy chains and health plans. In addition, the complaints implicate a range of Security Rule issues, from inappropriate access controls for systems containing electronic protected health information to a lack of policies and procedures governing device and media disposal.

When CMS has communicated with covered entities against which a complaint has been filed, they have made appropriate and expedient efforts to comply and to mitigate each situation. Thus far, CMS' investigations of complaints show that few if any of the violations have been the result of intentional non-compliance or malicious intent. We further note that CMS and the Office for Civil Rights (OCR), in conjunction with the Office of General Counsel, have both adopted this complaint based, voluntary compliance enforcement approach for complaint allegations that implicate both the Privacy and Security Rule. Complaints that appear to involve both rules are handled cooperatively between CMS and OCR, and if an onsite evaluation is deemed appropriate, the two agencies coordinate that activity.

In summary, while we differ with the OIG's findings that CMS' approach to enforcement of the Security Rule is inadequate, we do agree that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy that also includes complaint investigation and resolution, outreach, education, and working closely with industry to identify and correct security issues.

We address the report's Recommendation/Suggestions below.

OIG Recommendation

The OIG recommends that CMS establish policies and procedures for conducting compliance reviews of covered entities.

CMS Response

The OIG equates the effectiveness of CMS' enforcement activities with the presence or absence of a compliance review program. We agree that compliance reviews are part of a comprehensive enforcement strategy, but also feel that they are but one of several tools that can be used to promote compliance. OIG's singular focus on compliance reviews neglects the value that other methods, such as complaint investigation and resolution, increased outreach to industry, and education, have demonstrated in improving compliance.

Nonetheless, CMS does not disagree with the OIG recommendation for the establishment of a specific policy and accompanying procedures for conducting compliance reviews of covered entities against which a complaint has been filed or entities that have been deemed appropriate for review by other means. At the time of the audit, CMS was already developing a Statement of Work to secure professional services to conduct compliance reviews, as authorized by the Enforcement Rule. A contract was executed with PriceWaterhouseCoopers in 2007, which includes onsite reviews of certain covered entities. The onsite review not only assesses the entity's compliance with the facts of the allegations, but includes a more comprehensive assessment of the entity's overall security practices, risk assessment, policies and procedures and the like. A list of potential policies, procedures and documents that could be included in these reviews was posted to the CMS Website in late 2007. This initiative complements the existing complaint management process at CMS, and was an appropriate step towards expanding the enforcement tactics to monitor compliance with the Rule. CMS and OIG are currently considering an arrangement to collaborate on future compliance reviews and enforcement efforts for fiscal year 2009 to capitalize on the review strengths of the OIG, and the HIPAA security expertise of CMS.

As mentioned above, CMS feels that outreach and education are also critical parts of an effective enforcement strategy and we have now begun targeting issues that have been identified during the complaint and
review processes. We  believe  that the combination    of enforcement\n the complaint and review processes. We believe that the combination of enforcement and        and\neducation\n education is\n            is an\n               an appropriate\n                   appropriate approach\n                               approach that wil\n                                             willeffectively\n                                                  effectivelyreach\n                                                               reachthe\n                                                                      theindustry\n                                                                           industryon\n                                                                                    onaabroader\n                                                                                         broaderscale,\n                                                                                                   scale,\n\x0c                                                                                                                APPENDIX\n Page33--Daniel\nPage     DanielR.\n                R.Levinson\n                  Levinson                                                                                       Page 3 of 3\n\n\n andalso\nand  alsofurnish,\n          furnish,as\n                   asappropriate,\n                      appropriate,technical\n                                     technical assistance\n                                               assistance toto covered\n                                                               covered entities\n                                                                         entities to\n                                                                                   to help\n                                                                                       help them\n                                          
                                                   them achieve\n                                                                                                    achieve\n compliance.  In 2008,   CMS    began  to post case  studies  based  on  complaint\ncompliance. In 2008, CMS began to post case studies based on complaint data on to the  data  on  to the CMS\n                                                                                                         CMS\n Website. The\nWebsite.   The purpose\n               purpose isis to\n                             to enable\n                                enablethe\n                                        theindustry\n                                            industrytotobenefit\n                                                         benefitfrom\n                                                                  from the\n                                                                        the issues\n                                                                             issuesidentified\n                                                                                      identifiedfrom\n                                                                                                  from anan\n individualcase\nindividual  caseor\n                 orcompliance\n                    compliancereview.\n                                   review. 
Other\n                                            Other educational\n                                                   educational tools\n                                                                 tools and\n                                                                       and activities\n                                                                              activities already\n                                                                                         already in in place\n                                                                                                       place\n includeFrequently\ninclude  Frequently Asked\n                      Asked Questions,\n                              Questions, guidance\n                                          guidance documents,\n                                                     documents, and and educational\n                                                                         educational papers,\n                                                                                        papers, asas well\n                                                                                                     well as\n                                                                                                           as\n CMSparticipation\nCMS    paricipation at\n                     at industry\n                        industry conferences.\n                                  conferences. 
These\n                                                 These resources     heighten the\n                                                        resources heighten       the industry\'s\n                                                                                     industry\'s\n understanding  of HIP   AA   security requirements   and  the  various  means\nunderstanding of HIPAA security requirements and the various means by which       by  which entities\n                                                                                               entities can\n                                                                                                        can\n comply.\ncomply.\n\nAgain, we\nAgain, we appreciate\n          appreciate the\n                     the opportunity\n                         opportunity to\n                                     to review\n                                        review and\n                                               and comment\n                                                   comment on\n                                                           on this\n                                                              this draft\n                                                                   draft report.\n                                                                         report.\n\x0c'